Channel: Exchange Server 2013 - Administration, Monitoring, and Performance Forum

Exchange using wrong certificate, that is NOT enabled for SMTP.


Hello,

We have two Exchange 2013 servers, builds 847.32 and 995.29, both behaving the same. The config is for the most part identical. There is one cert issued by a private CA intended for use with IIS (OWA, etc.), which has our mail server's FQDN in the subject and many alternate names (for autodiscover). There is also a certificate with only the FQDN subject, issued by a public CA (Thawte), intended for external SMTP only. Everything worked until we had to reissue our private-signed certs to add some more alternate names.

Now Exchange seems not to care about what services are selected with Enable-ExchangeCertificate, as it is stated in http://technet.microsoft.com/en-us/library/bb430748%28v=exchg.141%29.aspx

"

The certificate selection process searches for all certificates in the certificate store that have a matching FQDN. From this list, the certificate selection process identifies a list of eligible certificates. Eligible certificates must meet the following criteria:

    • The certificate is an X.509 version 3 or a later version certificate.

    • The certificate has an associated private key.

    • The Subject or Subject Alternate Name fields contain the FQDN that was retrieved in step 3.

    • The certificate is enabled for SSL/TLS use. Specifically, the SMTP service has been enabled for this certificate by using the Enable-ExchangeCertificate cmdlet.

"

Examining the logs, I see that Exchange is using the certificate with a serial number matching our private-issued cert. Get-ExchangeCertificate confirms there is NO SMTP service assigned to that cert, and there never has been.

Question: How can I force Exchange to use our public cert for SMTP? Changing the FQDN of the receive connector is not an option. Reissuing the public cert so that it has a later "Valid from" costs money and won't really solve anything, because we are likely to mess with the private cert some more times later on, running into the same problems yet again. Thank you for reading all that wall-o-text.
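
One way to check the four criteria quoted above against the certificates on a server, as an added example that is not part of the original post or of the linked documentation. `mail.example.com` is a placeholder for the Receive connector's FQDN, and the script assumes that `CertificateDomains` carries the names from both the Subject and the Subject Alternative Name fields.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell
# on the server that owns the Receive connector.
# Placeholder: replace with the FQDN configured on the connector
# (see: Get-ReceiveConnector | Format-Table Identity, Fqdn).
$ConnectorFqdn = 'mail.example.com'

Get-ExchangeCertificate | ForEach-Object {
    $cert = $_

    # Criterion 1: X.509 version 3 or later.
    $isV3 = $cert.Version -ge 3

    # Criterion 2: an associated private key.
    $hasKey = [bool]$cert.HasPrivateKey

    # Criterion 3: the FQDN is in Subject or Subject Alternative Name.
    # Assumption: CertificateDomains lists the names from both fields.
    $names = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
    $fqdnMatch = $names -contains $ConnectorFqdn

    # Criterion 4: SMTP was enabled with Enable-ExchangeCertificate.
    # Services is compared as text so it also works on deserialized objects.
    $smtp = ($cert.Services.ToString() -split ',\s*') -contains 'SMTP'

    [pscustomobject]@{
        SerialNumber  = $cert.SerialNumber   # compare with the serial in the logs
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        NotBefore     = $cert.NotBefore      # the "Valid from" date
        X509v3        = $isV3
        HasPrivateKey = $hasKey
        FqdnMatch     = $fqdnMatch
        SmtpEnabled   = $smtp
        # Eligible only if all four documented criteria hold.
        Eligible      = $isV3 -and $hasKey -and $fqdnMatch -and $smtp
        # Matches the FQDN but should be excluded by criterion 4.
        FqdnOnly      = $fqdnMatch -and -not $smtp
    }
} | Sort-Object NotBefore -Descending |
    Format-Table SerialNumber, NotBefore, FqdnMatch, SmtpEnabled, Eligible, FqdnOnly -AutoSize
```

A certificate whose serial number appears in the SMTP logs while its row shows `FqdnOnly = True` is being presented despite failing the fourth documented criterion, which is the mismatch described in the post.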

